[Git][security-tracker-team/security-tracker][master] 2 commits: Remove no-dsa tags for upcoming glib2.0/stretch update

Markus Koschany (@apo) apo at debian.org
Mon Jun 6 15:18:50 BST 2022



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
80aa198e by Markus Koschany at 2022-06-06T16:17:48+02:00
Remove no-dsa tags for upcoming glib2.0/stretch update

- - - - -
3a282b03 by Markus Koschany at 2022-06-06T16:18:40+02:00
Reserve DLA-3044-1 for glib2.0

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -81971,7 +81971,6 @@ CVE-2016-20009 (** UNSUPPORTED WHEN ASSIGNED ** A DNS client stack-based buffer
 CVE-2021-28153 (An issue was discovered in GNOME GLib before 2.66.8. When g_file_repla ...)
 	- glib2.0 2.66.7-2 (bug #984969)
 	[buster] - glib2.0 2.58.3-2+deb10u3
-	[stretch] - glib2.0 <postponed> (Minor issue, directory traversal exploitable in file-roller)
 	NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2325
 CVE-2021-3435
 	RESERVED
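Review bot: the line dropped from the CVE-2021-28153 entry is a `<postponed>` tag rather than a `<no-dsa>` tag as the commit subject says; both belong to the no-dsa family, so the effect is the same, but after this hunk data/CVE/list carries no stretch state for the issue at all and the tracker relies entirely on the DLA-3044-1 line in data/DLA/list (2.50.3-2+deb9u3) from the second commit of this push. The two commits should land together, otherwise stretch shows as still open. The removed rationale ("directory traversal exploitable in file-roller") is not preserved elsewhere, which is acceptable now that the issue is being fixed rather than postponed.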
@@ -85138,13 +85137,11 @@ CVE-2021-21299 (hyper is an open-source HTTP library for Rust (crates.io). In hy
 CVE-2021-27218 (An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before  ...)
 	- glib2.0 2.66.7-1 (bug #982779)
 	[buster] - glib2.0 2.58.3-2+deb10u3
-	[stretch] - glib2.0 <postponed> (fix along with CVE-2021-27219)
 	NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1942
 	NOTE: Test case depends on CVE-2021-27219 fix
 CVE-2021-27219 (An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before  ...)
 	- glib2.0 2.66.6-1 (bug #982778)
 	[buster] - glib2.0 2.58.3-2+deb10u3
-	[stretch] - glib2.0 <postponed> (requires fixing vulnerable rdeps, follow buster strategy)
 	NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2319
 	NOTE: Fix introduces new API 'g_memdup2'
 	NOTE: Fix backport in 2.66.7 adds 'g_memdup2' for internal use but does not allow fixing reverse-dependencies using vulnerable 'g_memdup'
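Review bot: the removed stretch line for CVE-2021-27219 ("requires fixing vulnerable rdeps, follow buster strategy"), together with the surviving NOTE that the 2.66.7 backport adds 'g_memdup2' only for internal use, was the only reminder that reverse dependencies still calling the vulnerable 'g_memdup' need fixes of their own; dropping the tag closes glib2.0's stretch state without recording what the stretch update does about them. Suggest keeping a NOTE on CVE-2021-27219 stating whether 2.50.3-2+deb9u3 follows the buster approach used for 2.58.3-2+deb10u3 and which rdeps, if any, are tracked separately. For CVE-2021-27218 the remaining NOTE that the test case depends on the CVE-2021-27219 fix is consistent with fixing both in a single upload, as the removed "fix along with CVE-2021-27219" tag intended.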


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[06 Jun 2022] DLA-3044-1 glib2.0 - security update
+	{CVE-2021-27218 CVE-2021-27219 CVE-2021-28153}
+	[stretch] - glib2.0 2.50.3-2+deb9u3
 [06 Jun 2022] DLA-3043-1 pidgin - security update
 	{CVE-2022-26491}
 	[stretch] - pidgin 2.12.0-1+deb9u1
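Review bot: the fixed version 2.50.3-2+deb9u3 on the new [stretch] line must match the version actually accepted into stretch-security, because a reserved DLA entry is what the tracker uses to mark these CVEs as fixed in stretch once the corresponding tags are gone from data/CVE/list; if the upload is renumbered, this line and the announcement text both need updating. The CVE set {CVE-2021-27218 CVE-2021-27219 CVE-2021-28153} matches the three stretch tags removed in the companion commit, and the entry follows the same layout as the DLA-3043-1 pidgin entry below, so the format is fine.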


=====================================
data/dla-needed.txt
=====================================
@@ -75,10 +75,6 @@ gerbv
   NOTE: 20220326: CVE-2021-40401 is fixed https://salsa.debian.org/lts-team/packages/gerbv/-/blob/debian/stretch/debian/patches/CVE-2021-40401.patch (Anton)
   NOTE: 20220326: CVE-2021-4040{0,2,3} do not have confirmed upstream fixes yet. (Anton)
 --
-glib2.0 (Markus Koschany)
-  NOTE: 20220529: Programming language: C.
-  NOTE: 20220523: Follow buster: harmonize with with Debian 10.10 (3 CVEs) (Beuc/front-desk)
---
 golang-github-hashicorp-go-getter (Thorsten Alteholz)
   NOTE: 20220529: Programming language: Go.
   NOTE: 20220528: limited golang support in stretch (cf. stretch release notes)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b526681161ce2744e2e0149f628421b8651ff3f2...3a282b03f469dc9c5868e17ab5a034182f4f596e


